In recent years, use methods have been widely employed, in which file servers on the Internet store electronic data (hereinafter simply referred to as data) and various devices (for example, a notebook PC (Personal Computer), a tablet terminal and a smart phone) access the file servers and use the data.
Such use methods of data are highly convenient, whereas the user methods involve a risk that an unintended third party on the Internet refers to the data.
Therefore, operation of information security, such as encryption and access control, is essential for confidential data.
There is a method described in Patent Literature 1 as a method to execute encryption of and access control on confidential data.
In the method of Patent Literature 1, encryption keys are managed for each group capable of decrypting encrypted data.
In addition, in the method of Patent Literature 1, addition of a member to or deletion of a member from the group capable of decrypting while keeping the encrypted data encrypted.
In business organizations, a change in groups is often triggered by personnel transfers.
The method in Patent Literature 1 is capable of handling a simple personnel transfer event like joining or retirement from a company, whereas the method is incapable of handling complicated personnel transfer events.
For example, in the method of Patent Literature 1, when a complicated personnel transfer event, such as dissolution of secondment or reinstatement after temporary retirement, etc. occurs, it is unable to return the group capable of decryption to a state before secondment or a state before temporary retirement.
Thus, as an encryption technique that satisfies both of complicated access control and encryption, there exists an encryption technique called a functional encryption scheme described in Patent Literature 2.
The functional encryption scheme is a type of a public key cryptosystem.
Unlike an RSA (registered trademark) encryption currently used as the mainstream, the functional encryption scheme is an encryption scheme which enables decryption of encrypted data that has been encrypted with a decryption key to restore the data when a prescribed relation is established between a parameter (hereinafter referred to as a decryption condition) set at the time of encrypting the data, and a parameter (hereinafter referred to as attribute information) set to the decryption key.
For example, a logical formula such as “department=general affairs department AND section=personnel section” is set as a decryption condition at the time of encrypting data, and “department=general affairs department, section=accounting section” is set for a decryption key as attribute information representing a holder of the decryption key.
Then, decryption of the encrypted data is possible only when relation between the decryption condition set at the time of encrypting the data, and the attribute information set for the decryption key is true.
Hereinafter, encrypted data and a decryption condition are collectively called an encrypted file.
As a method to change a decryption condition while keeping an encrypted file that has been encrypted in a functional encryption scheme encrypted, there is a method as described in Non-patent Literature 1.
The scheme described in Non-patent Literature 1 is referred to as a proxy re-encryption scheme.
In the proxy re-encryption scheme, by using a key for re-encryption referred to as a re-encryption key, it is possible to change a decryption condition without decrypting the encrypted file.
However, the scheme described in Non-patent Literature 1 is inefficient, whereby re-encryption can be executed only one to a few times in practice.
Therefore, in the scheme of Non-Patent Literature 2, efficiency is improved from the scheme of Non-Patent Literature 1, where there is no practical limit in the number of re-encryption.